Overview

overview

10

Static

static

1

PHILIP.exe

windows7-x64

10

PHILIP.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    31s
  • max time network
    116s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    16/02/2023, 08:53

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    PHILIP.exe

  • Size

    324KB

  • MD5

    443750f08bb402c1cee9f7ed5641de40

  • SHA1

    36e10876601d74747ade10db65ebba79fcdd7b72

  • SHA256

    dec27cdadd52f7d2264eb50ecbae1d43313c917594d9c4b93ea936b556f05902

  • SHA512

    d06a70a036d9602fcbdaf2157d6b98271f9877256f9cc6b7a3c7191f810b48bd0faf8e170f61800bad6e5fa50cdb29188a94d39d17463cfbde55755dccff090e

  • SSDEEP

    6144:vYa6lInxv/GBwkvnZkaIkDkiUjBEFefnDyhIHUe7NBG5LB:vYP2Uw2nQjiceFSDUc7NG1

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5662683474:AAFvSjyPXTiwhBPcFi8of3_-_FCdfhhN8x0/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PHILIP.exe
    "C:\Users\Admin\AppData\Local\Temp\PHILIP.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1292
    • C:\Users\Admin\AppData\Local\Temp\digdconvf.exe
      "C:\Users\Admin\AppData\Local\Temp\digdconvf.exe" C:\Users\Admin\AppData\Local\Temp\ngivhuetle.mug
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1332
      • C:\Users\Admin\AppData\Local\Temp\digdconvf.exe
        "C:\Users\Admin\AppData\Local\Temp\digdconvf.exe"
        3⤵
        • Executes dropped EXE
        PID:1092
      • C:\Users\Admin\AppData\Local\Temp\digdconvf.exe
        "C:\Users\Admin\AppData\Local\Temp\digdconvf.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:520

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\digdconvf.exe
          Filesize

          127KB

          MD5

          548c32a92cd221f0b0a1e5ab389bf5af

          SHA1

          ba4191ec1939c16ad6a700f5200c5ac84ab9efa7

          SHA256

          ce1c120571a06830f12a0a82741d00806cf18817be88c9458cf8349737c77166

          SHA512

          d6a09567b49075fd45bd2e52b40387570ced13d00fd28f474b15cf72a7c177a09c0573a61e9639d83859f01eb80f297d3c67ec883cf7997d453554c824f4fa82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\digdconvf.exe
          Filesize

          127KB

          MD5

          548c32a92cd221f0b0a1e5ab389bf5af

          SHA1

          ba4191ec1939c16ad6a700f5200c5ac84ab9efa7

          SHA256

          ce1c120571a06830f12a0a82741d00806cf18817be88c9458cf8349737c77166

          SHA512

          d6a09567b49075fd45bd2e52b40387570ced13d00fd28f474b15cf72a7c177a09c0573a61e9639d83859f01eb80f297d3c67ec883cf7997d453554c824f4fa82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\digdconvf.exe
          Filesize

          127KB

          MD5

          548c32a92cd221f0b0a1e5ab389bf5af

          SHA1

          ba4191ec1939c16ad6a700f5200c5ac84ab9efa7

          SHA256

          ce1c120571a06830f12a0a82741d00806cf18817be88c9458cf8349737c77166

          SHA512

          d6a09567b49075fd45bd2e52b40387570ced13d00fd28f474b15cf72a7c177a09c0573a61e9639d83859f01eb80f297d3c67ec883cf7997d453554c824f4fa82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\digdconvf.exe
          Filesize

          127KB

          MD5

          548c32a92cd221f0b0a1e5ab389bf5af

          SHA1

          ba4191ec1939c16ad6a700f5200c5ac84ab9efa7

          SHA256

          ce1c120571a06830f12a0a82741d00806cf18817be88c9458cf8349737c77166

          SHA512

          d6a09567b49075fd45bd2e52b40387570ced13d00fd28f474b15cf72a7c177a09c0573a61e9639d83859f01eb80f297d3c67ec883cf7997d453554c824f4fa82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\ngivhuetle.mug
          Filesize

          7KB

          MD5

          fd2b5db4a3e41d39623fb54f73ea8f5e

          SHA1

          fcce51cbb53a0e5d7aa694f3322a09854480fd02

          SHA256

          0273b0a96847a19d6a9569c9ca02a9d95d196eebeaa666b58f74028451386475

          SHA512

          a0af6a7e4b8411776b0007be01ddcfbd05560f168eb1554874fb9729f6adb6f82044c969bf0e598c2992844e19faa06536b80316a11ac4fb2e0800e24a66a885

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\svnwdctuh.ir
          Filesize

          266KB

          MD5

          e4e6989f4cb92813cb3415e839bac761

          SHA1

          711a5250fef9cbeb2181725bf8d15ab0b7e0bd47

          SHA256

          4042be4b86842251228cc7193b8ac462c02b5dd144bbad9556cef770176befcc

          SHA512

          812627eb2bb60c18151c90afd10187420aa97c924eade61720b1002341f188d60ccdf6f62c0c37a2f5bc647ef60ebe02fd170b484a3c2654308e2ec64a9d54cd

          Download Submit

        • \Users\Admin\AppData\Local\Temp\digdconvf.exe
          Filesize

          127KB

          MD5

          548c32a92cd221f0b0a1e5ab389bf5af

          SHA1

          ba4191ec1939c16ad6a700f5200c5ac84ab9efa7

          SHA256

          ce1c120571a06830f12a0a82741d00806cf18817be88c9458cf8349737c77166

          SHA512

          d6a09567b49075fd45bd2e52b40387570ced13d00fd28f474b15cf72a7c177a09c0573a61e9639d83859f01eb80f297d3c67ec883cf7997d453554c824f4fa82

          Download Submit

        • \Users\Admin\AppData\Local\Temp\digdconvf.exe
          Filesize

          127KB

          MD5

          548c32a92cd221f0b0a1e5ab389bf5af

          SHA1

          ba4191ec1939c16ad6a700f5200c5ac84ab9efa7

          SHA256

          ce1c120571a06830f12a0a82741d00806cf18817be88c9458cf8349737c77166

          SHA512

          d6a09567b49075fd45bd2e52b40387570ced13d00fd28f474b15cf72a7c177a09c0573a61e9639d83859f01eb80f297d3c67ec883cf7997d453554c824f4fa82

          Download Submit

        • \Users\Admin\AppData\Local\Temp\digdconvf.exe
          Filesize

          127KB

          MD5

          548c32a92cd221f0b0a1e5ab389bf5af

          SHA1

          ba4191ec1939c16ad6a700f5200c5ac84ab9efa7

          SHA256

          ce1c120571a06830f12a0a82741d00806cf18817be88c9458cf8349737c77166

          SHA512

          d6a09567b49075fd45bd2e52b40387570ced13d00fd28f474b15cf72a7c177a09c0573a61e9639d83859f01eb80f297d3c67ec883cf7997d453554c824f4fa82

          Download Submit

        • \Users\Admin\AppData\Local\Temp\digdconvf.exe
          Filesize

          127KB

          MD5

          548c32a92cd221f0b0a1e5ab389bf5af

          SHA1

          ba4191ec1939c16ad6a700f5200c5ac84ab9efa7

          SHA256

          ce1c120571a06830f12a0a82741d00806cf18817be88c9458cf8349737c77166

          SHA512

          d6a09567b49075fd45bd2e52b40387570ced13d00fd28f474b15cf72a7c177a09c0573a61e9639d83859f01eb80f297d3c67ec883cf7997d453554c824f4fa82

          Download Submit

        • memory/520-69-0x0000000000270000-0x00000000002A0000-memory.dmp

          Filesize

          192KB

          Download

        • memory/520-70-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/1292-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

          Filesize

          8KB

          Download